This week was a busy one for me, as I’m finally done traveling for a while and got back to working on NTOSpider6 and our growing team. I should be able to keep up with this weekly post again, and will keep you all informed about the important news in web app security.
- Larry Suto’s study of WAF effectiveness has finally been released, and has received some attention.
- My comments about the study
- Response to WAF/IDS/IPS Effectiveness Report – Jim Broome’s “I told you so” blog post
- Effectiveness of web application firewalls (Help Net Security)
- Well-tuned WAFs with DAST products 39% more effective, study finds (Computer Weekly)
- Suto strikes again, or getting the desired results regardless of data – Interesting points about the limitations of the data Larry was able to collect. However, it’s worth noting that doing WAF evasion and the other recommended steps would probably result in no report ever being released, because it would be extremely difficult and time consuming. That’s probably why there are no other reports or analyses that come even close to what Larry has done. Hopefully Larry’s work will inspire others to pick up the challenge and take it to the next step.
- Bang for your buck: WAF configuration – Incorrectly assumes that NT OBJECTives produced the report, which I have explained in my comment on his blog. The report was performed by Larry Suto, who does not and has never worked for NTO.
- I presented Not Your Granddad’s Web App @ HouSecCon 2011 – The conference was great this year. My talk went well and I had lots of response and good conversations as a result.
- Reviews of SOPA/PROTECT IP – Forcing honesty on the internet… ha!
- Cloud Security at HouSecCon 2011 – (MJ Keith’s technical preso)
- Imperva Announces Pricing of Initial Public Offering – Imperva going public tells me that WAFs have hit the big time.
- Fighting 0days With Fundamentals (DarkReading) – A bit of a counter-argument to signature-based solutions, and all good points. I think Vinnie is right that developers need to continue to focus on secure coding practices to avoid creating the security issues in the first place, but once the baby is born and running amok on the internet, we need to use solutions (DAST, SAST, WAF, IPS) to help protect them. It’s never going to be either/or; it’s going to require both.
- “FIX IT!” Ain’t Gonna Cut It: Kicking Off a Software Security Remediation Project – A fantastic post from the Denim Group on how to improve the process of moving from “just fix it” to a well thought out development process with integrated security.
- The Twelve Web Security Truths – Nice little summary from my buddy Mike Shema
- Amex clueless about security–so what else is new? (Securiteam) – Amex under scrutiny, doesn’t inspire confidence with their lack of responsiveness
- Study of next-generation firewall deployments (Help Net Security) – I still don’t understand what qualifies a technology as a “Next-Generation Firewall (NGFW)”, but if more than 50% of users are using NGFWs, doesn’t that make them no longer “Next-Generation”, as they are now the “Current” or “Modern” generation of firewalls? Oh well, I guess that’s just me.
- Healthcare most breached industry in 2011 – Includes the statement that life-or-death systems account for 5% of breaches but are on the rise.
- WYSINWYX: What You See Is Not What You eXecute – I’m still trying to dig through this 79-page paper, but it does go into some of the details about why source code scanning tools face some inherent limitations caused when compiled machine code behaves differently than expected. Every C/C++ developer out there has experience debugging these issues and fighting with that special form of hell. I bet Veracode liked this one due to their ability to work against the compiled code.
- WhiteHat Security Adds Common Vulnerability Scoring System to Sentinel Website Security Product – I think this is a great move, which we have done as well for our upcoming release of NTOSpider 6.0 (scheduled for release in Q1 2012).
- Joomla! security bypass weakness and XSS vulnerability (Help Net Security) – Not that important really, but a reminder that these things will continue to pop up with any popular framework
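To make the WYSINWYX point above concrete, here is an added example of my own; it is not code from the paper, from Veracode, or from anything else linked in this post. It shows the classic way compiled code diverges from source: a `memset()` that clears a secret from a stack buffer just before the function returns is a dead store, so an optimizing compiler is allowed to delete it. The source scanner sees the wipe; the binary may not contain it. The hardened variant calls `memset` through a `volatile` function pointer, which the optimizer cannot remove. All function names (`naive_wipe`, `secure_wipe`, `use_secret_naive`, `use_secret_hardened`, `secure_wipe_clears`) and the sample key are my own constructions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the source says: clear the secret before returning. Because the
 * buffer is never read again, the compiler may treat this memset as a
 * dead store and delete it at -O2. A source-level scanner sees a wipe;
 * the binary may contain none. */
void naive_wipe(void *buf, size_t len)
{
    memset(buf, 0, len);
}

/* memset called through a volatile function pointer: the optimizer cannot
 * prove which function runs or that the call has no side effects, so the
 * wipe survives. explicit_bzero() / memset_s() are library alternatives
 * on platforms that provide them. */
static void *(*volatile volatile_memset)(void *, int, size_t) = memset;

void secure_wipe(void *buf, size_t len)
{
    volatile_memset(buf, 0, len);
}

/* Returns 1 if every byte of buf is zero, else 0. */
int all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Toy checksum standing in for "use the key"; not a real MAC. */
static uint32_t toy_checksum(const unsigned char *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = sum * 31u + p[i];
    return sum;
}

/* Copy a secret into a stack buffer, use it, then wipe with plain memset. */
uint32_t use_secret_naive(const unsigned char *secret, size_t len)
{
    unsigned char local[32];
    if (len > sizeof local)
        len = sizeof local;
    memcpy(local, secret, len);
    uint32_t sum = toy_checksum(local, len);
    naive_wipe(local, sizeof local);   /* candidate for dead-store elimination */
    return sum;
}

/* Same computation, with a wipe the optimizer must keep. */
uint32_t use_secret_hardened(const unsigned char *secret, size_t len)
{
    unsigned char local[32];
    if (len > sizeof local)
        len = sizeof local;
    memcpy(local, secret, len);
    uint32_t sum = toy_checksum(local, len);
    secure_wipe(local, sizeof local);  /* survives -O2 */
    return sum;
}

/* Self-check: fill a buffer with 0xAA, wipe it with secure_wipe, and
 * report whether it is now all zero (1) or not (0). */
int secure_wipe_clears(void)
{
    unsigned char buf[64];
    memset(buf, 0xAA, sizeof buf);
    secure_wipe(buf, sizeof buf);
    return all_zero(buf, sizeof buf);
}

int main(void)
{
    /* Constructed sample key for the demo, not a real secret. */
    const unsigned char key[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    printf("naive    checksum: %u\n", (unsigned)use_secret_naive(key, sizeof key));
    printf("hardened checksum: %u\n", (unsigned)use_secret_hardened(key, sizeof key));
    printf("secure_wipe clears buffer: %d\n", secure_wipe_clears());
    return 0;
}
```

Both functions return the same checksum, so nothing in the program's output tells you which wipe actually made it into the binary; that is exactly the gap between source and executable. The check a practitioner wants is on the compiled code: build with `gcc -O2 -S` (or disassemble with `objdump -d`) and look for the `memset` call, or an inlined zeroing loop, inside `use_secret_naive` versus `use_secret_hardened`. Whether the naive call is actually dropped depends on the compiler and flags, which is the point: the source alone cannot answer the question.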